Sienna Meridian Satterwhite
7ff35d3e0c
Add new bases for cert-manager (Let's Encrypt + wildcard cert), Longhorn distributed storage, and monitoring (kube-prometheus-stack + Loki + Tempo + Grafana OIDC). Add cloud-init for Scaleway Elastic Metal provisioning. Production overlay: add patches for postgres sizing, SeaweedFS volume, OpenSearch storage, LiveKit service, Pingora host ports, resource limits, and CNPG daily barman backups. Update cert-manager.yaml with full dnsNames for all *.sunbeam.pt subdomains.
33 lines
896 B
YAML
33 lines
896 B
YAML
# Hydra OAuth2Client for Grafana OIDC sign-in.
|
|
#
|
|
# Hydra Maester watches this CRD and:
|
|
# 1. Registers the client with Hydra
|
|
# 2. Creates K8s Secret "grafana-oidc" in monitoring namespace
|
|
# with CLIENT_ID and CLIENT_SECRET keys.
|
|
#
|
|
# Grafana picks up the secret via envFromSecret and interpolates
|
|
# ${CLIENT_ID} / ${CLIENT_SECRET} in grafana.ini at startup.
|
|
#
|
|
# DOMAIN_SUFFIX is substituted by sunbeam apply.
|
|
---
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: grafana
|
|
namespace: monitoring
|
|
spec:
|
|
clientName: Grafana
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile
|
|
redirectUris:
|
|
- https://grafana.DOMAIN_SUFFIX/login/generic_oauth
|
|
postLogoutRedirectUris:
|
|
- https://grafana.DOMAIN_SUFFIX/
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: grafana-oidc
|
|
skipConsent: true
|